Kerberos is case-sensitive in many places and the error messages (or lack
thereof) may not be sufficiently explanatory. Check the case of the service
principal in your configuration files. The convention is
HTTP/fully.qualified.domain@REALM.
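
A small check for the case problems described above, added here as an example (it is not part of NiFi or of the original guide). The function names, the EXAMPLE.COM realm and the sample principals are constructed for illustration; the keytab principal list is assumed to have been copied by hand from a listing of the keytab.

```python
import re

# Convention from the text above: HTTP/fully.qualified.domain@REALM
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$"
)


def convention_issues(principal):
    """Return the ways `principal` deviates from HTTP/fully.qualified.domain@REALM."""
    m = PRINCIPAL_RE.match(principal.strip())
    if not m:
        return ["not of the form service/host@REALM"]
    issues = []
    if m["service"] != "HTTP":
        issues.append(f"service component is {m['service']!r}, expected 'HTTP'")
    if "." not in m["host"]:
        issues.append(f"host {m['host']!r} is not fully qualified")
    if m["realm"] != m["realm"].upper():
        issues.append(f"realm {m['realm']!r} is not upper case")
    return issues


def case_only_mismatch(configured, keytab_principals):
    """Return keytab entries equal to `configured` only when case is ignored.

    An empty list means either an exact match exists or nothing is close.
    """
    if configured in keytab_principals:
        return []
    wanted = configured.lower()
    return [p for p in keytab_principals if p.lower() == wanted]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    configured = "HTTP/nifi.nifi.apache.org@EXAMPLE.COM"
    keytab = ["http/nifi.nifi.apache.org@EXAMPLE.COM", "nifi@EXAMPLE.COM"]
    for issue in convention_issues(configured):
        print("convention:", issue)
    for entry in case_only_mismatch(configured, keytab):
        print(f"keytab has {entry!r}, which differs from the configured "
              f"principal only by case")
```
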

Some browsers (legacy IE) do not support recent encryption algorithms such as
AES, and are restricted to legacy algorithms (DES). Take this into account when
generating keytabs.

The KDC must be configured, a service principal defined for NiFi, and a keytab
exported. Comprehensive instructions for Kerberos server configuration and
administration are beyond the scope of this document (see the MIT
Kerberos Admin Guide), but an example is below:

Adding a service principal for a server at nifi.nifi.apache.org and
exporting the keytab from the KDC: